All versions of this manual
X
Welcome to Linkurious administration manual v4.0.27. Use the menu to access other documentations.
  1. Introduction
  2. FAQ
  3. Getting started
    1. Version support policy
    2. Release notes
    3. Client requirements
    4. Graph DB Feature Map
  4. Deploying on premise
    1. Technical requirements
    2. Downloading
    3. Installing
    4. Starting Linkurious
    5. Stopping Linkurious
  5. Configuring
  6. Troubleshooting
    1. Checking Linkurious status
    2. Reading the logs
    3. Getting support
    4. Managing licenses
    5. Vulnerabilities
  7. Importing graph data
    1. Neo4j
    2. Memgraph
    3. Amazon Neptune
    4. Cosmos DB
    5. Updating your graph data
  8. Updating Linkurious
    1. Checking for updates
    2. Backing up your data
    3. Update procedure
  9. Configuring data-sources
    1. Neo4j
    2. Amazon Neptune
    3. Memgraph
    4. Cosmos DB
    5. Alternative IDs
    6. Merging data-sources
    7. Advanced settings
  10. Resource management
    1. Managing spaces
  11. Search index
    1. Search Option Comparison
    2. Neo4j Search
    3. Elasticsearch
    4. OpenSearch for Amazon Neptune
    5. Azure Search
    6. Incremental Indexing
    7. Numerical/Date search
  12. User-data store
    1. Migrating to an external database
    2. Backing-up your store
  13. Web server
  14. Authentication
    1. Getting started
    2. LDAP / Active Directory
    3. SSO with Azure AD
    4. SSO with Google
    5. SSO with OpenID Connect
    6. SSO with SAML2 / ADFS
    7. Configuration
  15. Access control
    1. Managing users
    2. Managing groups
    3. Standard access-rights
    4. Property-key access-rights
  16. Guest mode
    1. Guest mode
  17. Data Schema
    1. Property types
    2. Hiding data
    3. Strict mode
  18. Alerts
    1. Configuration
  19. Email Notifications
    1. Configuration
  20. Visualizations appearance
    1. Default styles
    2. Default captions
    3. Default properties order
    4. Geographic tiles
  21. Audit trail
    1. Log format
  22. Webhooks
  23. Observability
  24. Plugins
  25. Deep link
 

Authentication: Configuration

The authentication is configured within the access configuration key in the configuration file (linkurious/data/config/production.json):

  • authRequired (default: true): Whether to require authentication (see below how to enable or disable authentication).

  • guestMode (default: false): Enable the guest mode.

  • loginTimeout (default: Infinity): Seconds of inactivity after which a user is logged out.

  • dataEdition (default: true): Enable the creation, edition, and deletion of nodes and edges in all data-sources. Permissions can be fine-tuned for each group, see the documentation about users and groups. If set to false, all edition requests sent through Linkurious Enterprise to the data-sources will be rejected.

  • widget (default: true): Enable to publish visualizations online. Published visualizations are always accessible by anonymous users.

  • externalUsersGroupMapping (optional): How to map external groups to Linkurious Enterprise groups (see how to configure group mapping).

  • externalUsersAllowedGroups (optional): List of external groups of users allowed to log in into Linkurious Enterprise.

  • externalUserDefaultGroupId (optional): Default group id automatically set for new external users when no other rule is set in externalUsersGroupMapping. This configuration setting should not be used when autoRefreshGroupMapping is true, otherwise it may result in users with no groups to have no access to the data-source.

  • autoRefreshGroupMapping (default: false): If true, when an external user logs in, their groups are reset according to externalUsersGroupMapping and are also not allowed to be updated.

  • ldap (optional): The connection to the LDAP service (see how to configure LDAP).

  • msActiveDirectory (optional): The connection to the Microsoft Active Directory service (see how to configure Active Directory).

  • oauth2 (optional): The connection to an OAuth2/OpenID Connect identity provider (see how to configure Azure AD, Google or a generic OpenID Connect provider).

  • saml2 (optional): The connection to a SAML2 identity provider (see how to configure SAML2 / ADFS).

  • floatingLicenses (default: Infinity): The maximum number of users that can connect to Linkurious Enterprise at the same time.

  • visualizationExport (default: true): Whether exporting visualization data in different formats is enabled for all users or not.

  • disableLocalAuth (optional): If true, users are only able to log in via SSO and the local authentication login form is disabled.

Local vs. external authentication

To access Linkurious Enterprise when authRequired is true, users need accounts in Linkurious Enterprise. Administrators can create accounts directly in Linkurious Enterprise (see how to create users) or rely on an external authentication service.

Linkurious Enterprise supports the following external authentication services:

If your company uses an authentication service that Linkurious Enterprise does not support yet, please get in touch.

When opting for external authentication, it is recommended to have at least one local administrator account configured as a fallback in case the third party authentication provider is unavailable.

Disabling authentication

Authentication can be disabled by setting authRequired to false. When user authentication is disabled, all actions are performed under the special account named Unique User. The unique user has unrestricted access and does not require a password, so anyone can access the platform.

We strongly discourage you to disable user authentication, as this leaves your data accessible to anyone. This option should only be considered in the case of a standalone local installation for evaluation or demonstration purposes.

Enabling authentication

If local authentication is disabled, it can be enabled from Linkurious Enterprise user interface.

Once local authentication is enabled, users need an account to access Linkurious Enterprise. Administrators can create accounts directly in Linkurious Enterprise (see how to create users).

To enable authentication use the Web user interface via the Admin > Users menu:

Enabling authentication, step 1

The following screen will be prompted if authentication is disabled. Click Enable Authentication.

Enabling authentication, step 2

Create an admin account and click Save and enable.

Enabling authentication, step 3

Floating licenses

When access.floatingLicenses is defined, this is the behavior when a new user tries to log into the server while it is full:

  • if any session has been idle for more than 30 minutes, it is kicked to make space for the new user
  • otherwise, if the new user is an administrator, the most idle session is kicked to make space for the new user
  • otherwise, the new user fails to authenticate and gets an error message stating that the server is full.